def test_regenerate_token(self):
organization = self.create_organization()
member = OrganizationMember(organization=organization, email="*****@*****.**")
assert member.token is None
assert member.token_expires_at is None
member.regenerate_token()
assert member.token
assert member.token_expires_at
expires_at = timezone.now() + timedelta(days=INVITE_DAYS_VALID)
assert member.token_expires_at.date() == expires_at.date()
def test_regenerate_token(self):
organization = self.create_organization()
member = OrganizationMember(
organization=organization,
email='*****@*****.**')
assert member.token is None
assert member.token_expires_at is None
member.regenerate_token()
assert member.token
assert member.token_expires_at
expires_at = timezone.now() + timedelta(days=INVITE_DAYS_VALID)
assert member.token_expires_at.date() == expires_at.date()
def put(
self,
request: Request,
organization: Organization,
member: OrganizationMember,
) -> Response:
serializer = OrganizationMemberSerializer(data=request.data,
partial=True)
if not serializer.is_valid():
return Response(status=400)
try:
auth_provider = AuthProvider.objects.get(organization=organization)
auth_provider = auth_provider.get_provider()
except AuthProvider.DoesNotExist:
auth_provider = None
allowed_roles = None
result = serializer.validated_data
# XXX(dcramer): if/when this expands beyond reinvite we need to check
# access level
if result.get("reinvite"):
if member.is_pending:
if ratelimits.for_organization_member_invite(
organization=organization,
email=member.email,
user=request.user,
auth=request.auth,
):
metrics.incr(
"member-invite.attempt",
instance="rate_limited",
skip_internal=True,
sample_rate=1.0,
)
return Response({"detail": ERR_RATE_LIMITED}, status=429)
if result.get("regenerate"):
if request.access.has_scope("member:admin"):
member.regenerate_token()
member.save()
else:
return Response({"detail": ERR_INSUFFICIENT_SCOPE},
status=400)
if member.token_expired:
return Response({"detail": ERR_EXPIRED}, status=400)
member.send_invite_email()
elif auth_provider and not getattr(member.flags, "sso:linked"):
member.send_sso_link_email(request.user, auth_provider)
else:
# TODO(dcramer): proper error message
return Response({"detail": ERR_UNINVITABLE}, status=400)
if "teams" in result:
# dupe code from member_index
# ensure listed teams are real teams
teams = list(
Team.objects.filter(organization=organization,
status=TeamStatus.VISIBLE,
slug__in=result["teams"]))
if len(set(result["teams"])) != len(teams):
return Response({"teams": "Invalid team"}, status=400)
with transaction.atomic():
# teams may be empty
OrganizationMemberTeam.objects.filter(
organizationmember=member).delete()
OrganizationMemberTeam.objects.bulk_create([
OrganizationMemberTeam(team=team,
organizationmember=member)
for team in teams
])
if result.get("role"):
_, allowed_roles = get_allowed_roles(request, organization)
allowed_role_ids = {r.id for r in allowed_roles}
# A user cannot promote others above themselves
if result["role"] not in allowed_role_ids:
return Response(
{
"role":
"You do not have permission to assign the given role."
},
status=403)
# A user cannot demote a superior
if member.role not in allowed_role_ids:
return Response(
{
"role":
"You do not have permission to assign a role to the given user."
},
status=403,
)
if member.user == request.user and (result["role"] != member.role):
return Response(
{"detail": "You cannot make changes to your own role."},
status=400)
member.update(role=result["role"])
self.create_audit_entry(
request=request,
organization=organization,
target_object=member.id,
target_user=member.user,
event=AuditLogEntryEvent.MEMBER_EDIT,
data=member.get_audit_log_data(),
)
context = self._serialize_member(member, request, allowed_roles)
return Response(context)
